TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

Used Information Technology Assets Are Being Properly Donated; However,
Disposition Procedures Need to Be Improved

April 25, 2014

Reference Number: 2014-20-021

This report has cleared the Treasury Inspector General for Tax Administration disclosure
review process and information determined to be restricted from public release has been
redacted from this document.

Phone Number   / 202-622-6500
E-mail Address / TIGTACommunications@tigta.treas.gov
Website        / http://www.treasury.gov/tigta


HIGHLIGHTS

USED INFORMATION TECHNOLOGY ASSETS ARE BEING PROPERLY DONATED; HOWEVER,
DISPOSITION PROCEDURES NEED TO BE IMPROVED

Highlights

Final Report issued on April 25, 2014

Highlights of Reference Number: 2014-20-021 to the Internal Revenue Service Chief
Technology Officer and the Chief, Agency-Wide Shared Services.

IMPACT ON TAXPAYERS

The IRS Information Technology and Agency-Wide Shared Services organizations work together
to dispose of the IRS’s information technology equipment. If the IRS’s processes associated
with the disposition of its information technology equipment are not effective, the risk of
loss, theft, or inadvertent release of sensitive information is increased, which can reduce
the public’s confidence in the IRS’s ability to effectively monitor and use its resources.

WHY TIGTA DID THE AUDIT

This audit is included in TIGTA’s Fiscal Year 2014 Annual Audit Plan and addresses the major
management challenge of Security for Taxpayer Data and Employees. The overall objectives of
this review were to validate the accuracy of the disposal asset inventory and determine the
effectiveness of the IRS’s actions taken or planned to fulfill the requirements set forth by
the General Services Administration.

WHAT TIGTA FOUND

While the IRS is complying with requirements to donate its previously used information
technology equipment to non-Federal recipient organizations, there are several processes
associated with asset disposal that need improvement. For example, improved documentation is
needed to ensure compliance with media sanitization guidelines.

Controls over the processing of Federal electronic assets reported as missing, lost, or
stolen can be strengthened. Information technology equipment that cannot be located is
written off; however, these lost items are not reported to the Computer Security Incident
Response Center as required. Further, documentation of disposal actions can be improved, and
the inventory system does not archive electronic asset disposal data.

WHAT TIGTA RECOMMENDED

TIGTA recommended that the Chief, Agency-Wide Shared Services, reemphasize the importance of
completing new disposal forms when changes are identified and ensure that updated procedures
reflect the policy change requiring the use of Standard Form-122, Transfer Order Excess
Personal Property, when transferring Federal electronic assets. TIGTA recommended that the
Chief Technology Officer ensure that offices complete and maintain documentation for each
asset to provide an audit trail regarding the sanitizing and verifying of storage media,
report lost or stolen information technology equipment within one hour after detection, and
report assets written off as lost to the Computer Security Incident Response Center and
TIGTA. Finally, the Chief Technology Officer should ensure that the Knowledge
Incident/Problem Services Asset Management (KISAM) system’s archiving mechanism is developed.

IRS management agreed with our recommendations. The IRS plans to update its standard
operating procedures to ensure that disposal forms are free of all edits and markups.
Contingent upon funding availability, the IRS plans to enhance the KISAM to include an
electronic form to document storage media sanitization for each asset, update procedures to
require that Computer Security Incident Response Center and TIGTA report numbers are
documented prior to finalizing the asset record as lost, and ensure that the KISAM system’s
archiving mechanism is developed so that the information technology asset data can be
effectively managed in accordance with the IRS’s Records Control Schedule. Finally, the IRS
plans to issue an employee communique reinforcing existing policy for reporting lost or
stolen information technology equipment.


DEPARTMENT OF THE TREASURY
WASHINGTON, D.C. 20220

TREASURY INSPECTOR GENERAL
FOR TAX ADMINISTRATION

April 25, 2014

MEMORANDUM FOR CHIEF TECHNOLOGY OFFICER
               CHIEF, AGENCY-WIDE SHARED SERVICES

FROM:          Michael E. McKenney
               Acting Deputy Inspector General for Audit

SUBJECT:       Final Audit Report – Used Information Technology Assets Are Being Properly
               Donated; However, Disposition Procedures Need to Be Improved
               (Audit # 201320022)

This report presents the results of our review to validate the accuracy of the disposal
asset inventory and determine the effectiveness of the Internal Revenue Service’s (IRS)
actions taken or planned to fulfill the requirements set forth by General Services
Administration Bulletin FMR [Federal Management Regulation] B-34. This audit is included in
the Treasury Inspector General for Tax Administration’s Fiscal Year 2014 Annual Audit Plan
and addresses the major management challenge of Security for Taxpayer Data and Employees.

Management’s complete response to the draft report is included as Appendix VI.

Copies of this report are also being sent to the IRS managers affected by the report
recommendations. If you have any questions, please contact me or Alan Duncan, Assistant
Inspector General for Audit (Security and Information Technology Services).


Table of Contents

Background ........................................................................ Page 1

Results of Review ................................................................. Page 5
    Federal Electronic Assets Are Reused and Donated;
    However, Program Improvements Can Be Made ..................................... Page 5
        Recommendation 1: ......................................................... Page 7

    Improved Documentation Is Needed to Ensure
    Compliance With Media Sanitization Guidelines ................................. Page 7
        Recommendation 2: ......................................................... Page 8

    Controls Over Processing Federal Electronic Assets
    Reported As Missing/Lost/Stolen Can Be Strengthened ........................... Page 9
        Recommendations 3 through 5: .............................................. Page 10

    Documentation of Disposal Actions Can Be Improved ............................. Page 10
        Recommendations 6 and 7: .................................................. Page 12

    The Inventory System Currently Does Not Archive
    Electronic Asset Disposal Data ................................................ Page 12
        Recommendation 8: ......................................................... Page 13

Appendices
    Appendix I – Detailed Objectives, Scope, and Methodology ...................... Page 14
    Appendix II – Major Contributors to This Report ............................... Page 17
    Appendix III – Report Distribution List ....................................... Page 18
    Appendix IV – Sample Certification Letter ..................................... Page 19
    Appendix V – Flowchart of Disposal Process .................................... Page 20
    Appendix VI – Management’s Response to the Draft Report ....................... Page 21


Abbreviations

CSIRC    Computer Security Incident Response Center
FEA      Federal Electronic Asset
FMR      Federal Management Regulation
FY       Fiscal Year
GSA      General Services Administration
IRM      Internal Revenue Manual
IRS      Internal Revenue Service
IT       Information Technology
ITAMS    Information Technology Asset Management System
KISAM    Knowledge Incident/Problem Services Asset Management
NIST     National Institute of Standards and Technology
REFM     Real Estate and Facilities Management
SF       Standard Form
TIGTA    Treasury Inspector General for Tax Administration
UNS      User and Network Services


Background

In October 2009, President Obama signed into law Executive Order 13514, Federal Leadership
in Environmental, Energy, and Economic Performance,[1] with the intent to create a clean
energy economy that would increase the Nation’s prosperity, promote energy security, protect
the interest of taxpayers, and safeguard the health of our environment. Executive
Order 13514 also states that the Federal Government is to lead by example.
To fulfill Executive Order 13514’s requirements, the General Services Administration (GSA)
developed guidance for Federal agencies to follow that included establishing a comprehensive
and transparent Governmentwide policy on used Federal electronics that maximizes reuse,
clears data and information stored on used equipment, and ensures that all Federal
electronics are processed by certified recyclers.

On February 29, 2012, the GSA issued GSA Bulletin FMR [Federal Management Regulation] B-34,
Disposal of Federal Electronic Assets, which identifies specific categories of property[2]
targeted as Federal Electronic Assets (FEA) for disposal under the provisions of the
bulletin. In addition, GSA Bulletin FMR B-34 reminds Federal agencies to follow the National
Institute of Standards and Technology (NIST) recommendations for cleaning storage media
(e.g., hard drives), establishes the due date for filing annual reports with the GSA, and
provides a sequence for disposing of FEAs. The sequence for disposing of property encourages
Federal agencies to use every opportunity to reuse their functional FEAs (either within the
agency, by transferring them to another agency, or by donating the equipment to an eligible
nonprofit organization). If an agency decides the FEA should be abandoned or destroyed, then
it must provide the FEA to a certified recycler or refurbisher. The Internal Revenue Service
(IRS) primarily relies on three organizations for recycling/refurbishing its FEAs: Mission
West Virginia Inc.; Per Scholas; and Federal Prison Industries (also known as and hereafter
referred to as UNICOR). The IRS also donates FEAs to the Comp 4 Kids organization under the
Computers for Learning authority.[3]

In Fiscal Year[4] (FY) 2011, the IRS implemented a new software tool to track its
information technology asset inventory – the Knowledge Incident/Problem Services Asset
Management (KISAM) system. Prior to deployment, the IRS migrated inventory data from its
predecessor system, the Information Technology Asset Management System (ITAMS). However,
assets that were in a final disposition status[5] were not migrated over to the KISAM system
and remained available in a separate database for research after the ITAMS application was
taken offline in March 2012.

[1] Exec. Order No. 13514, Federal Leadership in Environmental, Energy, and Economic
    Performance, 3 C.F.R. 52117 (2009).
[2] Examples include Federal Supply Class 3610 – copiers and Federal Supply Group 70 –
    desktop/laptop computers, printers, peripherals, and electronic components.
[3] See Computers for Learning website: www.computers.fed.gov.
[4] A 12-consecutive-month period ending on the last day of any month. The Federal
    Government’s fiscal year begins on October 1 and ends on September 30.
[5] Assets with a disposal code assignment indicating the assets are no longer in the IRS’s
    inventory.

During FYs 2009 through 2012, the IRS retired more than 152,000 FEAs. Table 1 provides our
analysis of the number of retired FEAs by type of asset. This table shows that desktop and
laptop computers top the list with more than 63,000 and 44,000, respectively.

                    Table 1: Number of Retired FEAs by Asset Type
                              (FYs 2009 through 2012)

    Asset Type               Number of Items Retired
    Desktop Computers                         63,031
    Laptop Computers                          44,734
    Printers[6]                               39,073
    Servers                                    4,335
    Copiers[7]                                   836
    Total                                    152,009

    Source: Treasury Inspector General for Tax Administration (TIGTA) analysis of ITAMS
    information dated March 2012 and KISAM system information dated August 2012.

[6] Printers such as desktop, portable, network, and specialized.
[7] Copiers consist of floor/table models and color/noncolor.

Two organizations within the IRS share responsibility for disposing of FEAs: 1) User and
Network Services (UNS) within the Information Technology (IT) organization and 2) Real
Estate and Facilities Management (REFM) within the Agency-Wide Shared Services
organization. Within the UNS organization, the Service Asset and Configuration Management
organization’s Hardware Asset Management office is responsible for providing oversight,
coordination, and guidance on managing the information technology equipment enterprise-wide.
This includes developing asset management policies, developing and improving processes for
asset management and control, and working closely with asset owners enterprise-wide.

The REFM organization helps the IRS mission by providing policy, oversight, and strategic
planning for the agency’s personal property assets. IRS management indicated that in FY 2012
the REFM organization implemented new policies and procedures to enhance the organization’s
supporting operations. For example, the REFM organization:

   • Designed, developed, and launched a website for REFM Property and Asset Management,
     which is a “one-stop-shop” for all stakeholders.
   • Managed aged assets awaiting final disposition by reducing the percentage of aged
     assets from approximately 50 percent to 5 percent over 18 months.
   • Provided Property Officers with the IRS’s Property Management and KISAM system Asset
     Manager Training, GSA’s GSAXcess training, and a detailed Property Review Checklist.
   • Conducted research to ensure that new sources, such as the U.S. Postal Service and
     Computers for Youth, have an opportunity to receive FEAs to help fulfill their missions.

During FYs 2010 and 2011, the UNS organization reorganized to become a high-performing
organization built upon reengineered service delivery processes, updated technology tools,
and industry best practices. Under this new blueprint, the UNS organization established six
field operations areas and four depot locations (Brookhaven, New York; Memphis, Tennessee;
Austin, Texas; and Ogden, Utah) and subsequently centralized the disposition of its laptop
and desktop computers at two of the depot locations. Additionally, one of the two depots has
responsibility for assisting and coordinating with other offices regarding the disposition
of other information technology equipment. In addition, the REFM organization has employees
in each field operations area and at each depot location to facilitate asset management
through a life cycle approach toward the effective and efficient accountability, use,
maintenance, protection, transfer, and disposition of personal property in accordance with
governing Federal regulations. Finally, IRS management stated that the REFM organization
supports the IRS goals, objectives, and recycling efforts of the Federal management of
personal property by:

   • Managing its inventory effectively.
   • Maximizing reuse of information technology assets.
   • Enhancing the recycling of information technology assets to meet national disposition
     objectives.
   • Ensuring that property managers are well trained.

The IT organization initiates the disposal process by identifying equipment that is beyond
its useful life. It then completes the required paperwork and ensures that storage media has
been sanitized. Upon completion of these actions, the IT organization updates the KISAM
system inventory to reflect that the disposed property belongs to the REFM organization. The
REFM organization maintains control of the equipment throughout the remainder of the
disposal process. Appendix V provides a flowchart detailing this process.

This review was performed in the UNS and REFM organizations’ offices located at the Austin
Campus in Austin, Texas; the Brookhaven Campus in Islip, New York; and the New Carrollton
Federal Building in New Carrollton, Maryland, during the period October 2012 through
December 2013. We conducted this performance audit in accordance with generally accepted
government auditing standards. Those standards require that we plan and perform the audit to
obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and
conclusions based on our audit objectives. We believe that the evidence obtained provides a
reasonable basis for our findings and conclusions based on our audit objectives. Detailed
information on our audit objectives, scope, and methodology is presented in Appendix I.
Major contributors to the report are listed in Appendix II.


Results of Review

Federal Electronic Assets Are Reused and Donated; However,
Program Improvements Can Be Made

IRS management advised that they had written agreements to donate FEAs for reuse and
recycle with three organizations: Mission West Virginia Inc.; Per Scholas; and UNICOR.
However, the agreements were still in draft status and undergoing revision at the conclusion
of our audit work. In the absence of the written agreements, IRS management provided us with
certificates demonstrating that UNICOR had been certified under the Responsible Recycling
Program and that Per Scholas had been certified under the e-Stewards Certification
Program.[8] Although we did not receive a similar certification for Mission West Virginia
Inc., IRS management indicated this organization was registered as a Microsoft refurbisher.

As previously mentioned, GSA Bulletin FMR B-34 encourages Federal agencies to use every
opportunity to reuse or donate their FEAs. Table 2 highlights three organizations that
received the majority of the IRS donations, in terms of original acquisition cost. The
figures presented in Table 2 also show that the IRS was donating/reusing its FEAs prior to
Executive Order 13514 taking effect in FY 2010.

                    Table 2: Top Three Organizations Receiving FEAs
                                (original acquisition cost)

    Organization[9]                   FY 2009       FY 2010       FY 2011       FY 2012
    Comp 4 Kids                                  $4,867,960   $10,523,696   $10,936,297
    Mission West Virginia Inc.    $97,895,576   $12,530,868   $41,909,067    $9,823,660
    Per Scholas                   $15,410,144    $5,500,495      $433,362      $329,510
    Total Original Acquisition
    Cost of Items Donated to
    the Top Three Non-Federal    $113,305,720   $22,899,323   $52,866,125   $21,089,467
    Agencies

    Source: TIGTA analysis of annual reports filed with the GSA.

[8] The e-Stewards Certification Program is designed to enable individuals and
    organizations that dispose of their old electronic equipment to easily identify
    recyclers that adhere to the highest standard of environmental responsibility and
    worker protection. The e-Stewards Certification is open to electronics recyclers,
    refurbishers, and processors.
[9] The IRS also donates information technology assets to UNICOR. These donations are
    reported by UNICOR on its annual report; therefore, the IRS does not report the
    donations to avoid double counting.

GSA Bulletin FMR B-34 encourages agencies to use every opportunity to participate in reusing
and donating equipment; however, the current annual reporting mechanism only captures the
name of the non-Federal recipient, the classification of the donated equipment, the
authority used to donate the equipment, and the total original acquisition cost of the
donated or reused items. Without a count of the number of FEAs donated or reused, the IRS
and the GSA cannot fully measure progress in complying with GSA Bulletin FMR B-34. A more
meaningful measure would be to provide a count of the number of FEAs donated or reused.
For example, the Environmental Protection Agency sponsors a program called the Federal
Electronics Challenge,[10] which requires agency participants to complete an annual report
to measure progress against program goals, and the report requires agencies to provide the
number of items donated or reused.

Further, the IRS cannot accurately report whether it donated FEAs as part of the Computers
for Learning Program or used a certified recycler as required by GSA Bulletin FMR B-34.
While the GSA Annual Report of Property Furnished to Non-Federal Recipients includes a
column for disclosing the type of authority[11] the IRS exercised when disposing of its
FEAs, the instructions distributed to the REFM organization employees did not include
specific guidance to ensure that the employees correctly and consistently recorded the
authority that permitted the transfer of the FEAs. In addition, the instructions stated that
the information needed to complete the annual reports could be found in the property
disposal records maintained by each office. However, the disposal records maintained by each
office do not provide information that identifies the authority that permitted the equipment
transfer. Instead, the employee must rely on the limited available information (e.g., name
of the recipient organization, condition code status of the information technology
equipment) to complete the authority section of the annual report.

As a result, the FY 2012 Annual Report of Property Furnished to Non-Federal Recipients had
multiple entries for Mission West Virginia Inc. showing it received FEAs under the following
authorities: Certified R2 Recycler; Certified Recycler – Other; and Computers for Learning
Program. Although it is possible for Mission West Virginia Inc. to receive property for
educational purposes and for recycling of parts, there is currently no process in place for
employees to ensure the accuracy of authorities recorded on the annual report. If the
appropriate authorities are not captured, it will be difficult for the IRS to show it
complies with GSA Bulletin FMR B-34 and Executive Order 13514.

Upon this discovery, IRS management implemented corrective actions for FY 2013 annual
reporting. The REFM organization issued to its property officers internal guidance on how to
use the “Authority” field and to add a column to their log/spreadsheet for each transaction
to identify the “Authority” for which the FEAs were donated to ensure consistency when
preparing the annual property reports for the GSA.

[10] The Federal Electronics Challenge assists Federal agencies and facilities in meeting
     the goals of Executive Order 13514 and facing the challenges posed by electronics
     acquisition, use, and disposal.
[11] The authority describes the type of non-Federal recipient receiving the property.
     Examples include Computers for Learning Program – EO12999, Certified R2 Recycler, and
     Certified Recycler – Other.

Recommendation

Recommendation 1: The Chief, Agency-Wide Shared Services, should require offices
responsible for disposal of Federal Electronic Assets to maintain a count of the number of
FEAs donated to non-Federal recipients. The GSA Office of Personal Property Policy Division
Utilization and Disposal should also be contacted to determine if information on the number
of FEAs donated to non-Federal recipients would add value to the GSA annual reporting
process.

    Management’s Response: The IRS agreed with this recommendation. The IRS will maintain a
    count of FEAs transferred to non-Federal recipients.
The IRS will also\n       contact the GSA Office of Personal Property Policy Division with TIGTA\xe2\x80\x99s\n       recommendation and inquire whether the FEA count could add value to the Federal\n       agencies\xe2\x80\x99 annual property reports.\n\nImproved Documentation Is Needed to Ensure Compliance With\nMedia Sanitization Guidelines\nGSA Bulletin FMR B-34 encourages agencies to follow the recommendations outlined in\nNIST 800-88, Guidelines for Media Sanitization, and to develop consistent agency practices to\nclean hard drives and other storage devices in order to protect sensitive data. Section 4.8 of\nNIST 800-88 states that a Certificate of Sanitization (see Appendix IV for a sample) should be\ncompleted for each piece of electronic media that has been sanitized. The guidance further states\nthat the decision regarding completion of a certificate depends upon the confidentiality level of\nthe data on the media and suggests the documentation can be in either paper or electronic form.\nInternal Revenue Manual (IRM) sections 10.8.1, Information Technology Security, and 2.14.1,\nAsset Management, state that a letter or form stipulating that the sanitization and verification\nprocedures have been complied with shall be signed by the responsible person who performed\nthe procedures and shall accompany the device when it is turned in for disposal.\nWhile the IRS uses the appropriate disk wipe utility or degaussing techniques to sanitize storage\nmedia, it needs better documentation to confirm each piece of electronic media has been\nsanitized. 
The IRS includes a certification statement on its documentation when disposing of\nFEAs, as follows:\n       I certify that all IT equipment with permanent data/media storage listed on this\n       form have been removed or wiped clean of any sensitive or proprietary\n       information and software by use of a disk wipe utility according to the governing\n       IRM policy and procedures, and verification of this removal or wiping has been\n       performed.\n\n                                                                                           Page 7\n\x0c                 Used Information Technology Assets Are Being Properly Donated;\n                      However, Disposition Procedures Need to Be Improved\n\n\n\nIRS personnel believe this certification statement complies with the requirements outlined in\nNIST 800-88. The current certification statement is computer generated by the automated\nStandard Form (SF)-120, Report of Excess Personal Property, database program. According to\ninstructions for this program, users will be prompted with a question asking if they are\n\xe2\x80\x9cexcessing computer processing units.\xe2\x80\x9d12 If the SF-120 contains computers with data or storage\nmedia, the user should answer yes. Based on our review of disposal documentation, it is not\nuncommon for this documentation to contain hundreds of line items of information technology\nequipment and FEAs. 
Sometimes the documents contain only computers; other times they contain a mix of assets including computers, smartphones, printers, and fax machines.

We observed the sanitization and verification process at one of the two depot locations.13 One individual sanitized the storage media of those items prepared for disposal, while another individual verified the sanitization by reviewing the hard drive sectors to ensure that all data had been wiped.14 The individuals would document the completion of this process by placing a sticker on the equipment and including their initials and date of completion. Another individual, separate from this process, would complete the disposal documentation using the automated SF-120 database program. Although that individual worked in the same group with the employees doing the sanitization and verification, that individual did not physically verify the items to ensure that they included the stickers prior to completing the form and including the certification statement. Further, after the information technology equipment leaves the IRS, there is no longer any evidence available to show the dates when the sanitization and verification occurred and to ensure that the process was completed by independent parties.

The confidential and proprietary nature of the data stored on IRS media devices places these devices at a higher risk if the sanitization and verification process is not properly completed. Although we did not observe any adverse conditions during our audit, we believe the IRS needs to implement a more rigorous documentation standard to demonstrate it took appropriate actions to sanitize and verify storage devices prior to those devices leaving the IRS.
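As an added illustration of the verification step observed at the depot and of the per-asset record the report finds missing, the block below reads every sector of a disk image, fails verification on any residual data, enforces that the verifier is a different person from the sanitizer, and emits a Certificate of Sanitization record that can be retained with the asset’s disposal documentation. This is example code written for this page, not IRS depot tooling or anything from NIST 800-88 itself; the record fields, the two-person rule, the re-wipe/degauss decision and the sample image are constructed assumptions.

```python
"""Added example (not IRS code): full-read verification that a storage image was wiped,
plus a per-asset Certificate of Sanitization record of the kind NIST 800-88 Section 4.8
describes. The record layout, the two-person rule, and the sample image are assumptions."""
import hashlib
import json
from datetime import datetime, timezone

SECTOR_SIZE = 512


def sectors_not_wiped(image: bytes, pattern: bytes = b"\x00", sector_size: int = SECTOR_SIZE):
    """Indices of sectors whose bytes differ from the wipe pattern.
    Every sector is read, not a sample, so one residual sector is enough to fail verification."""
    expected = (pattern * sector_size)[:sector_size]
    residual = []
    for offset in range(0, len(image), sector_size):
        chunk = image[offset:offset + sector_size]
        if chunk != expected[:len(chunk)]:      # last chunk may be short
            residual.append(offset // sector_size)
    return residual


def certificate_of_sanitization(asset, image, sanitizer, verifier, when=None,
                                method="disk wipe utility (overwrite)"):
    """Build the per-asset record. The verifier must be a different person from the
    sanitizer; that independence is what the report found undocumented once equipment
    leaves the depot."""
    if sanitizer == verifier:
        raise ValueError("verification must be performed by someone other than the sanitizer")
    residual = sectors_not_wiped(image)
    when = when or datetime.now(timezone.utc)
    return {
        "barcode": asset["barcode"],
        "serial_number": asset["serial_number"],
        "media_type": asset["media_type"],
        "method": method,
        "sanitized_by": sanitizer,
        "verified_by": verifier,
        "verified_at": when.isoformat(),
        "sectors_checked": (len(image) + SECTOR_SIZE - 1) // SECTOR_SIZE,
        "residual_sectors": residual,
        "verified": not residual,
        # Digest of the media as read at verification time, so the record can be re-checked later
        "image_sha256": hashlib.sha256(image).hexdigest(),
    }


def next_action(cert, wipe_attempts):
    """Depot rule described in the report: after two failed wipe attempts the device is
    sent for degaussing instead of being wiped again."""
    if cert["verified"]:
        return "release for disposal"
    return "send for degaussing" if wipe_attempts >= 2 else "re-wipe"


# Constructed sample: an 8-sector image, fully zeroed, and a copy with residual data in sector 5
CLEAN_IMAGE = bytes(SECTOR_SIZE * 8)
_dirty = bytearray(CLEAN_IMAGE)
_dirty[SECTOR_SIZE * 5:SECTOR_SIZE * 5 + 8] = b"RESIDUAL"
DIRTY_IMAGE = bytes(_dirty)
SAMPLE_ASSET = {"barcode": "B0001", "serial_number": "SN-EXAMPLE", "media_type": "HDD"}  # constructed

if __name__ == "__main__":
    for label, image in (("clean", CLEAN_IMAGE), ("dirty", DIRTY_IMAGE)):
        cert = certificate_of_sanitization(SAMPLE_ASSET, image, sanitizer="tech-a", verifier="tech-b")
        print(label, "->", next_action(cert, wipe_attempts=1))
        print(json.dumps(cert, indent=2))
```

The record deliberately carries the sanitizer, the verifier and the verification timestamp, which are the three facts the depot sticker held but the SF-120 certification statement did not, and it is produced per asset rather than once per multi-hundred-line disposal document.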
This documentation should be retained with the disposal documentation for the asset.

Recommendation

Recommendation 2: The Chief Technology Officer should ensure that offices complete a separate letter or form for each asset and maintain this documentation to provide an audit trail for the process of sanitizing and verifying storage media.

        Management’s Response: The IRS agreed with this recommendation. Contingent upon funding availability, the IRS will enhance the existing process to include an electronic form within KISAM to document storage media sanitization for each asset.

12 The excessing of computer processing units refers to computers with data/media storage units to be disposed of on SF-120, Form 1933, Report of Survey, and Miscellaneous Form.
13 We could not observe the process at the second location because of a moratorium on sanitizing storage media that went into effect shortly before our visit.
14 If a storage device was not wiped after two attempts, the depot would send it to another location for degaussing.

Controls Over Processing Federal Electronic Assets Reported As Missing/Lost/Stolen Can Be Strengthened

In a prior report,15 we reported that the IRS did not perform sufficient steps to locate information technology assets in a missing status prior to writing off the equipment as lost. The IRS agreed to take corrective action to develop a report that would include appropriate data to help facilitate researching and resolving these assets.
During our current review of the disposal process, we judgmentally selected16 43 FEAs that were reported in a missing, lost, or stolen status to ensure compliance with procedures. Our review found the following:
    • 7 FEAs were not reported to the Computer Security Incident Response Center (CSIRC).
    • 14 FEAs were not timely reported to the CSIRC.
    • 16 FEAs were not reported to TIGTA.
    • 2 FEAs could not be evaluated for timeliness because the forms either did not capture the date or the time the incident was reported.

IRM 10.8.1.4.8, Incident Response, states that all employees and contractors shall report computer security incidents to the IRS’s CSIRC within one hour after detection. The IRM defines the loss or theft of information technology equipment as a reportable incident, especially when the loss or theft could result in unauthorized access to systems, IRS information, or an individual’s Personally Identifiable Information. In addition, IRM 2.14.1.13.20.4, Asset Management, Information Technology (IT) Asset Management,17 states that all lost and stolen incidents of information technology equipment must also be reported to TIGTA.

For the 14 FEAs that were not timely reported to the CSIRC, the lateness ranged from 103 minutes to 24 days after the incident was detected. Timely reporting of security incidents ensures that the CSIRC can take the necessary steps to disable devices and reduce the potential for unauthorized access or a data breach.

A further review of the disposal documentation associated with the 14 FEAs that were not timely reported to the CSIRC identified that these items were written off by the IRS after doing research to locate the assets. We also identified 878 other information technology assets that were

15 TIGTA, Ref. No.
2013-20-089, Weaknesses in Asset Management Controls Leave Information Technology Assets Vulnerable to Loss, p. 13 (Sept. 2013).
16 A judgmental sample is a nonstatistical sample, the results of which cannot be used to project to the population.
17 All subsequent references to IRM 2.14.1.13 are from this titled section.

included in these disposal documents and written off the inventory system as lost because the IRS lost accountability for these assets.

Recommendations

The Chief Technology Officer should:

Recommendation 3: Reemphasize the importance of reporting lost or stolen information technology equipment within one hour after detection.

        Management’s Response: The IRS agreed with this recommendation. The IRS will issue an employee communique reinforcing existing policy for reporting lost or stolen information technology equipment. Contingent upon funding availability, the IRS will implement a KISAM enhancement to report and monitor the IRS’s compliance with existing policy.

Recommendation 4: Update procedures to ensure that information technology assets written off as lost are reported to the CSIRC and TIGTA.

        Management’s Response: The IRS agreed with this recommendation.
Contingent upon funding availability, the IRS will update procedures to require the CSIRC and TIGTA report numbers be documented in the KISAM prior to finalizing the asset record as lost.

Recommendation 5: Ensure that incidents involving the loss or theft of information technology equipment are reported to TIGTA.

        Management’s Response: The IRS agreed with this recommendation. Contingent upon funding availability, the IRS will require the TIGTA report number be documented in the KISAM for all equipment reported as lost or stolen to the Information Technology organization.

Documentation of Disposal Actions Can Be Improved

We selected a judgmental sample of 90 FEAs in a pending18 and final disposition status and identified several areas in 79 of the cases in which the IRS can improve its documentation for these actions. For example, two of the FEAs we selected for review were associated with disposal documents that contained assets that were blacked out. Of the 369 assets reflected on these disposal documents and shown as being transferred outside the IRS, 56 were blacked out without any notations or explanations indicating what had happened to these assets.
When we asked the IRS to explain the circumstances surrounding the blacked-out assets, it could not recall because of the time that had elapsed.

18 Assets with a disposal code assignment indicating the assets are still in the IRS’s inventory awaiting disposal.

Prior to the transfer of the information technology equipment from the UNS organization to the REFM organization, both parties verify the barcode and serial number of the items listed on the SF-120 to ensure that all items have been properly accounted for. According to IRM 2.14.1.13.20.2, any corrections, additions, or deletions of items on the SF-120 will require IT organization staff to either redo the original SF-120 to match the items verified or to complete a second SF-120 if additional items are found. Not complying with the procedures to redo the SF-120, or not having an explanation documented on the SF-120 describing the circumstances of the blacked-out assets, increases the risk or likelihood that these assets could have been stolen.

We also identified inconsistencies in the procedures regarding the types of disposal documents to use when transferring FEAs from the IRS. For example, if the IRS decides it needs to return an item to the vendor, the procedures state that a Form 1933, Report of Survey, or a Miscellaneous Form should be completed. By contrast, if the IRS decides to donate its FEAs to a non-Federal recipient organization, the procedures state that an SF-122, Transfer Order Excess Personal Property, should be completed and a signature/date obtained from a representative of the organization accepting the equipment.
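The reporting tests applied in the preceding section (CSIRC notification within one hour of detection, TIGTA notification, and report numbers on the record before an asset is finalized as lost) and the disposal documentation tests applied in this section (blacked-out line items with no explanation, the data elements the IRM requires on disposal documentation, and condition code against disposal method) can all be run mechanically over an export of asset records. The block below is an added example written for this page, not IRS or KISAM code; the field names, the record layout and every sample record are constructed assumptions.

```python
"""Added example (not IRS or KISAM code): compliance checks over constructed asset
records, mirroring the tests the audit applied to lost/stolen and disposal records.
Field names, the record layout, and every sample value below are assumptions."""
from datetime import datetime, timedelta

# IRM 10.8.1.4.8: computer security incidents are reported to the CSIRC within one hour of detection
CSIRC_LIMIT = timedelta(hours=1)
# Data elements IRM 2.14.1.13.20.2 requires on disposal documentation
REQUIRED_FIELDS = ("barcode", "serial_number", "category", "manufacturer", "model")
# Condition codes the report cites as candidates for reuse or donation rather than scrap
REUSABLE_CONDITION_CODES = {"1", "4", "7"}   # 1 New, 4 Usable, 7 Repairable


def _parse(ts):
    """Timestamps are 'YYYY-MM-DD HH:MM' strings; an empty field (as on some forms) yields None."""
    return datetime.strptime(ts, "%Y-%m-%d %H:%M") if ts else None


def check_incident(rec):
    """Findings for one lost/stolen/missing asset record; an empty list means compliant."""
    findings = []
    if not rec.get("csirc_report_no"):
        findings.append("not reported to CSIRC")
    else:
        detected, reported = _parse(rec.get("detected")), _parse(rec.get("csirc_reported"))
        if detected is None or reported is None:
            findings.append("timeliness cannot be evaluated: date/time not captured")
        elif reported - detected > CSIRC_LIMIT:
            minutes = int((reported - detected).total_seconds() // 60)
            findings.append(f"CSIRC reported {minutes} minutes after detection (limit 60)")
    if not rec.get("tigta_report_no"):
        findings.append("not reported to TIGTA")
    # A write-off should not be finalized until both report numbers are on the record
    if rec.get("status") == "written off as lost" and not (
            rec.get("csirc_report_no") and rec.get("tigta_report_no")):
        findings.append("written off as lost without CSIRC and TIGTA report numbers")
    return findings


def check_disposal_line(item):
    """Findings for one line item of a disposal document (SF-120/SF-122)."""
    if item.get("blacked_out"):
        # A struck-through entry is acceptable only with a documented explanation (or a redone form)
        return [] if item.get("note") else ["line item blacked out without explanation"]
    findings = [f"missing {field}" for field in REQUIRED_FIELDS if not item.get(field)]
    if item.get("condition_code") in REUSABLE_CONDITION_CODES and item.get("disposal_method") == "scrap":
        findings.append(f"condition code {item['condition_code']} but disposed of as scrap")
    return findings


def audit(incidents, disposal_lines):
    """Map each record's barcode (or line number) to its findings, keeping only records with findings."""
    out = {}
    for rec in incidents:
        found = check_incident(rec)
        if found:
            out[rec["barcode"]] = found
    for item in disposal_lines:
        found = check_disposal_line(item)
        if found:
            out[item.get("barcode") or f"line {item['line']}"] = found
    return out


# Constructed sample records (not real IRS data)
SAMPLE_INCIDENTS = [
    {"barcode": "B0001", "status": "lost", "detected": "2014-01-06 09:00", "csirc_reported": "2014-01-06 09:45",
     "csirc_report_no": "CSIRC-0001", "tigta_report_no": "TIGTA-0001"},
    {"barcode": "B0002", "status": "stolen", "detected": "2014-01-06 09:00", "csirc_reported": "2014-01-06 10:43",
     "csirc_report_no": "CSIRC-0002", "tigta_report_no": ""},
    {"barcode": "B0003", "status": "written off as lost", "detected": "2014-01-06 09:00", "csirc_reported": "",
     "csirc_report_no": "", "tigta_report_no": ""},
    {"barcode": "B0004", "status": "missing", "detected": "", "csirc_reported": "",
     "csirc_report_no": "CSIRC-0004", "tigta_report_no": "TIGTA-0004"},
]
SAMPLE_LINES = [
    {"line": 1, "barcode": "B1001", "serial_number": "SN1", "category": "laptop", "manufacturer": "Acme",
     "model": "X1", "condition_code": "4", "disposal_method": "donated"},
    {"line": 2, "barcode": "B1002", "serial_number": "SN2", "category": "desktop", "manufacturer": "",
     "model": "D2", "condition_code": "4", "disposal_method": "donated"},
    {"line": 3, "blacked_out": True},
    {"line": 4, "barcode": "B1004", "serial_number": "SN4", "category": "printer", "manufacturer": "Acme",
     "model": "P4", "condition_code": "7", "disposal_method": "scrap"},
]

if __name__ == "__main__":
    for asset, findings in audit(SAMPLE_INCIDENTS, SAMPLE_LINES).items():
        print(asset, "->", "; ".join(findings))
```

Run against the constructed records, the checks reproduce each category the audit reported: a timely record with both report numbers passes, a record reported 103 minutes after detection is flagged as late, a record with no CSIRC number that was nevertheless written off is flagged twice, a record whose form lacks a detection time is reported as not evaluable, and on the disposal side a missing manufacturer, an unexplained blacked-out line and a repairable item scrapped each surface as separate findings.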
IRS management took corrective action to change the procedures to ensure that the SF-122 would be used to document all transfers of FEAs. This corrective action became effective in September 2013.

Throughout our review, we shared our concerns about other discrepancies we identified relating to the documentation supporting the disposition of FEAs. The following list represents additional management actions taken by the IRS to correct these discrepancies:
    • According to IRM 2.14.1.13.20.2, the disposal documentation should contain the following data to describe the items being disposed of: barcode, serial number, category, manufacturer, and model. Our review of disposal documentation for the 79 previously examined FEAs indicated 58 did not reflect the manufacturer for the items. The IRS agreed with this observation and modified its SF-120 program to ensure that the manufacturer name is included on future SF-120 reports.
    • IRM 2.14.1.13.12.7 states that the disposition of equipment depends on the overall condition of the equipment at the time of disposition. Specific codes are entered into the KISAM system that describe the condition of the property. As an example, condition code 4 means the equipment shows some wear but it can be used without significant repair. Further, GSA Bulletin FMR B-34 specifically encourages agencies to reuse or donate FEAs in specific condition codes. We raised concerns that there was no clear guidance in the IRM to explain how the condition codes should be applied to ensure consistency. We also identified some discrepancies in which the condition code in the inventory system did not align with how the item was disposed. For example, an item that was reflected as repairable and that should have been donated was disposed of as scrap.
      IRS management recognizes there should be a better understanding of the condition codes and has included this item as an agenda item in upcoming meetings with personnel.

Recommendations

Recommendation 6: The Chief Technology Officer should reemphasize the importance of completing new disposal forms when changes are identified.

        Management’s Response: The IRS agreed with this recommendation. The IRS will update its standard operating procedures to prohibit edits and markups of previously completed disposal forms.

Recommendation 7: The Chief, Agency-Wide Shared Services, should ensure that IRM procedures are updated to reflect the recent policy change requiring the use of SF-122 when transferring or donating FEAs.

        Management’s Response: The IRS agreed with this recommendation and will ensure that the policy guidance provided to the REFM territories on September 23, 2013, is included in the next revision of IRM 1.14.4, Personal Property Management, Real Estate and Facilities Management.

The Inventory System Currently Does Not Archive Electronic Asset Disposal Data

Section 17 of the IRS Records Control Schedule19 provides details regarding the retention requirements for electronic and paper records. It states that system data associated with the asset should be retained until three years after disposition.

When the IRS went live with a new system of records known as the KISAM system in August 2011, assets in retired status were not migrated to the KISAM system.
This left 400,000 information technology assets in a final disposition status in the predecessor system ITAMS because the KISAM system archive mechanism had not been completed.20

The IRS interim archiving process being used includes maintaining the asset information that was not migrated from the ITAMS as raw data in an Oracle® database. The data are retrievable only by a person who knows the Oracle software, placing a hardship on the organizations that may need easy access to the information in order to complete supplemental assignments.

According to IRS management, there is no urgent need to develop the archiving mechanism because data in the KISAM system database have not yet reached the retention requirements for assets placed in final disposition. The KISAM system would be updated with the archiving requirement in Release 2. However, until this development is completed, the IRS will just retain all asset records in the KISAM system database.

19 A document that provides mandatory instructions for what to do with records (and nonrecord materials) no longer needed for current Government business.
20 TIGTA, Ref. No. 2013-20-089, Weaknesses in Asset Management Controls Leave Information Technology Assets Vulnerable to Loss, p. 6 (Sept. 2013).
While IRS management decided not to implement the KISAM system with an archiving capability, this functionality will be needed in the future to ensure the effectiveness and efficiency of the KISAM system and the research of disposed asset records.

Recommendation

Recommendation 8: The Chief Technology Officer should ensure that the KISAM system’s archiving mechanism is developed so that information technology asset data can be effectively managed in accordance with the IRS’s Records Control Schedule.

        Management’s Response: IRS agreed with this recommendation. Contingent upon funding availability, the IRS will ensure that the KISAM system’s archiving mechanism is developed so that the information technology asset data can be effectively managed in accordance with the IRS’s Records Control Schedule.

Appendix I

Detailed Objectives, Scope, and Methodology

Our overall objectives were to validate the accuracy of the disposal asset inventory and determine the effectiveness of the IRS’s actions taken or planned to fulfill the requirements set forth by GSA Bulletin FMR B-34. To accomplish our objectives, we:

I.      Verified the accuracy of the KISAM system disposed asset inventory that migrated from the ITAMS.
        A. Identified the criteria for maintaining electronic records for disposed assets.
        B. Interviewed IRS personnel to identify any recent changes/decisions to the electronic records retention criteria.
        C.
           Used migration criteria obtained during a prior audit,1 analyzed ITAMS retired assets, and identified the population of retired assets in the ITAMS.
        D. Evaluated the results from Step I.C. and identified the number of assets that met the electronic records management criteria.
        E. Selected a judgmental sample2 of 30 assets from 423,377 assets identified from Step I.D. and reviewed disposal documentation to confirm the accuracy of their retired status. Some of the criteria considered for our judgmental sample included assets with disposal codes 09 (in process of excess) and 16 (missing); assets with a physical inventory date (i.e., manual touch date, Tivoli scan date, barcode scan date, self-certification date) subsequent to the disposal date; and assets with a missing or invalid disposal report number.
        F. Matched ITAMS retired assets to the KISAM system and identified records that migrated to the KISAM system. (Note: According to the IRS, the only records that migrated to the KISAM system were those assets in the ITAMS as disposal code 09 (in process of excess) and 16 (missing).)
II.     Evaluated whether the IRS used every opportunity to reuse functional FEA in accordance with the requirements outlined in GSA Bulletin FMR B-34.
        A. Interviewed REFM organization personnel to understand their role in the disposal of FEAs.

1 TIGTA, Ref. No. 2013-20-089, Weaknesses in Asset Management Controls Leave Information Technology Assets Vulnerable to Loss (Sept.
2013).
2 A judgmental sample is a nonstatistical sample, the results of which cannot be used to project to the population.

        B. Interviewed IT organization personnel to understand their role in following NIST 800-88, Guidelines for Media Sanitization, for FEAs.
        C. Identified the organizations the IRS used to recycle its FEAs and validated that they met GSA’s certification requirement, e.g., Responsible Recycling or e-Stewards Certification Programs.
        D. Reviewed copies of annual reports submitted by the IRS to the Department of the Treasury/GSA for FYs 2009 through 2012 to evaluate the volume of equipment provided to schools or other organizations. We obtained supporting documentation for these summary reports and/or compared these volumes to the ITAMS and KISAM system data.
        E. Analyzed the ITAMS and KISAM system data for FEA items with condition codes 1 (New), 4 (Usable), and 7 (Repairable) to identify any trends for FYs 2009 through 2012. For FY 2012 disposals, we obtained disposal documentation to identify how the equipment was disposed, e.g., donated to a school, transferred for refurbishing/reuse.
III.    Assessed the effectiveness of the controls over the disposition of FEAs to ensure that the assets and their data are safeguarded from fraud, waste, abuse, and/or the inadvertent disclosure of Personally Identifiable Information.
        A. Compared REFM organization procedures for asset disposal to the policy outlined in GSA Bulletin FMR B-34.
        B.
           Compared REFM and IT organizations’ asset disposal procedures.
        C. Analyzed data from the KISAM system Asset Manager to identify the population and potential trends/irregularities of FEAs classified as pending or final disposition.
        D. Using data from Step III.C., selected a judgmental sample of 30 of 60 final excessed FEAs from the Brookhaven Campus in Islip, New York. Our selection criteria included consideration of the following: FEAs in disposal codes other than 00 (transfer to the Agency-Wide Shared Services organization) and 09 (in process of excess), assets with an inventory verification date subsequent to the disposal action, assets with missing or invalid disposal report numbers, and assets with an acquisition and disposal date within the same year.
        E. Using the data from Step III.C., selected a judgmental sample of 30 of 60 FEAs pending disposal at the Brookhaven Campus. Selection criteria included consideration of the following: FEAs in disposal codes 00 (transfer to the Agency-Wide Shared Services organization) and 09 (in process of excess), assets that contained a future warranty expiration date, e.g., FYs 2013 or 2014, and acquisition and disposal date within the same year.
        F. Collaborated with TIGTA’s Office of Investigations and obtained information regarding open and closed investigations involving lost/stolen information technology equipment.
        G.
           Identified FEA in the KISAM system designated as lost/stolen/missing and selected a judgmental sample of 30 from 2,166 FEAs.
        H. Conducted Forrester Research Inc.3 research and identified articles on information technology inventory write-off practices and/or shrinkage rate, i.e., how much theft/loss is acceptable.

Internal controls methodology

Internal controls relate to management’s plans, methods, and procedures used to meet their mission, goals, and objectives. Internal controls include the processes and procedures for planning, organizing, directing, and controlling program operations. They include the systems for measuring, reporting, and monitoring program performance. We determined the following internal controls were relevant to our audit objectives: GSA Bulletin FMR B-34, NIST 800-88, and the IT and REFM organizations’ policies and procedures relating to the disposition of FEA. We evaluated these controls by interviewing IRS management and staff from the UNS, REFM, and Cybersecurity organizations; reviewing policies and procedures outlined in the IRM; and reviewing relevant supporting documentation.

3 Forrester Research Inc. is an independent technology and market research company that provides advice on existing and potential impacts of technology to its clients and the public.

Appendix II

Major Contributors to This Report

Alan R.
Duncan, Assistant Inspector General for Audit (Security and Information Technology Services)
Danny Verneuille, Director
Myron Gulley, Audit Manager
Diana Tengesdal, Audit Manager
Chinita Coates, Lead Auditor
Ryan Perry, Senior Auditor
Allen Henry, Auditor
Sarah Shelton, Auditor
Ashley Weaver, Auditor

Appendix III

Report Distribution List

Commissioner C
Office of the Commissioner – Attn: Chief of Staff C
Deputy Commissioner for Operations Support OS
Deputy Chief Information Officer for Operations OS:CTO
Associate Chief Information Officer, User and Network Services OS:CTO:UNS
Director, Real Estate and Facilities Management OS:A:RE
Director, Operations Service Support OS:CTO:UNS:OS
Chief Counsel CC
National Taxpayer Advocate TA
Director, Office of Legislative Affairs CL:LA
Director, Office of Program Evaluation and Risk Analysis RAS:O
Office of Internal Control OS:CFO:CPIC:IC
Audit Liaison: Director, Risk Management Division OS:CTO:SP:RM

Appendix IV

Sample Certification Letter

Source: NIST 800-88, September 2012.
PC = Personal Computer.

Appendix V

Flowchart of Disposal Process

Source: IRM 2.14.1, Asset Management, Information Technology (IT) Asset Management, November 2011.

Appendix VI

Management’s Response to the Draft Report